US9866580B2 (Active, Utility)

Forecasting and classifying cyber-attacks using neural embeddings

Assignee: IBM
Priority: Feb 9, 2016
Filed: Feb 9, 2016
Granted: Jan 9, 2018
Est. expiry: Feb 9, 2036 (nominal 20-yr term from priority)
Inventors: Mohamed N. Ahmed, Aaron K. Baughman, John F. Behnken, Mauro Marzorati
CPC: G06N 3/042, G06N 7/01, G06N 7/005, H04L 63/1433, G06N 3/086, H04L 63/1408
Claims: 21

Abstract

A first collection including a first feature vector and a Q&A feature vector is constructed. A second collection is constructed from the first collection by inserting noise in at least one of the vectors. A third collection is constructed by crossing over at least one of the vectors of the second collection with a corresponding vector of a fourth collection, migrating at least one of the vectors of the second collection with a corresponding vector of a fifth collection, or both. Using a forecasting configuration, a vector of the third collection is aged to generate a changed feature vector, the changed feature vector containing feature values expected at a future time. The changed feature vector is input into a trained neural network to predict a probability of the cyber-attack occurring at the future time.

Claims

(exact text as granted, not AI-modified)

What is claimed is:

1. A method comprising:
constructing a first collection, the first collection comprising a first feature vector and a Q&A feature vector;
constructing a second collection from the first collection by inserting noise data in at least one of the first feature vector and the Q&A feature vector, wherein the noise is inserted by changing an existing value in the first feature vector by a random amount;
further constructing a third collection by using at least one of (i) combining, to crossover, at least one of a first feature vector and a Q&A feature vector of the second collection with a corresponding at least one of a first feature vector and a Q&A feature vector of a fourth collection, wherein the second and the fourth collections have a property similar to one another, and (ii) combining, to migrate, at least one of a first feature vector and a Q&A feature vector of the second collection with a corresponding at least one of a first feature vector and a Q&A feature vector of a fifth collection, wherein the second and the fifth collections have a property distinct from one another;
aging, using a forecasting configuration, a first feature vector of the third collection to generate a changed feature vector, the changed feature vector containing feature values expected at a future time;
predicting, by inputting the changed feature vector in a trained neural network, a probability of the cyber-attack occurring at the future time.

2. The method of claim 1, the combining to crossover further comprising:
partitioning the first feature vector of the second collection into a first partition of a first size and second partition of a second size;
partitioning the first feature vector of the fourth collection into a first partition of the first size and second partition of the second size; and
constructing the first feature vector of the third collection by substituting the first partition in the first feature vector of the second collection with the first partition of the first feature vector of the fourth collection.

3. The method of claim 1, the combining to migrate further comprising:
partitioning the first feature vector of the second collection into a first partition of a first size and second partition of a second size;
partitioning the first feature vector of the fifth collection into a first partition of the first size and second partition of the second size; and
constructing the first feature vector of the third collection by substituting the first partition in the first feature vector of the second collection with the first partition of the first feature vector of the fifth collection.

4. The method of claim 1, further comprising:
further predicting, using the trained neural network, a classification of the cyber-attack occurring at the future time.

5. The method of claim 1, further comprising:
extracting from the raw data of the data processing environment, a set of actual features, the actual features relating to an actual known cyber-attack on the data processing environment at a past time;
constructing a past first feature vector using the set of actual features and a corresponding set of expanded features;
constructing a past Q&A feature vector using a portion of the past first feature vector; and
training a neural network, to produce the trained neural network, using the past first feature vector and the past Q&A feature vector.

6. The method of claim 5, wherein the training causes the neural network to indicate a detection of the past cyber-attack with a greater than a threshold probability, and to indicate a class of the past cyber-attack.

7. The method of claim 1, further comprising:
aging using a second forecasting configuration, a Q&A feature vector of the third collection to generate a changed Q&A feature vector, the changed Q&A feature vector containing Q&A feature values expected at the future time, wherein the predicting also inputs the changed Q&A feature vector in the trained neural network.

8. The method of claim 1, further comprising:
evaluating the property of the second collection, wherein the third collection has an increased value of the property.

9. The method of claim 8, wherein the property is RECALL ONLY.

10. The method of claim 1, wherein the noise is inserted by adding a random value to the first feature vector.

11. The method of claim 1, wherein the noise is inserted by deleting an existing value from the first feature vector.

12. The method of claim 1, further comprising:
constructing, from the first portion, NL corpora; and
submitting the NL question against the NL corpora using a Q&A system, wherein the Q&A system produces the answer corresponding to the NL question based on the NL corpora.

13. The method of claim 12, wherein the answer comprises a ranked list of sub-portions in the first portion, wherein a higher ranking sub-portion is more relevant in answering the NL question than a lower ranking sub-portion.

14. The method of claim 1, further comprising:
extracting a set of Q&A features from the answer, a Q&A feature in the set of Q&A features being data with the characteristic;
creating a set of expanded Q&A features from the set of Q&A features; and
adding, to form the Q&A feature vector, the set of Q&A features, the set of expanded Q&A features, and a timestamp corresponding to a time of collection of the raw data.

15. The method of claim 1, wherein the identifying the first portion is according to an NLP-suitability rule, the rule being specific to the data processing environment.

16. The method of claim 1, further comprising:
creating the first feature vector from raw data present in a data processing environment;
identifying in the first feature vector, a first portion, wherein the first portion is suitable for natural language processing (NLP);
constructing, from the first portion, a natural language (NL) question, the NL question being related to a future cyber-attack on the data processing environment;
constructing the Q&A feature vector based on a set of features present in an answer to the NL question.

17. The method of claim 16, further comprising:
extracting a set of raw features from the raw data, a raw feature in the set of raw features being data with a characteristic, the characteristic being usable in detection of the cyber-attack; and
creating a set of expanded features from the set of raw features; and
adding, to form the first feature vector, the set of raw features, the set of expanded features, and a timestamp corresponding to a time of collection of the raw data.

18. The method of claim 17, further comprising:
normalizing, as a part of creating the set of expanded features, a raw feature in the set of raw features to form an extended feature in the set of expanded features.

19. The method of claim 17, further comprising:
deriving, as a part of creating the set of expanded features, an expanded feature in the set of expanded features from a raw feature in the set of raw features.

20. A computer program product comprising one or more computer-readable storage medium, and program instructions stored on at least one of the one or more storage medium, the stored program instructions comprising:
program instructions to construct a first collection, the first collection comprising a first feature vector and a Q&A feature vector;
program instructions to construct a second collection from the first collection by inserting noise data in at least one of the first feature vector and the Q&A feature vector, wherein the noise is inserted by changing an existing value in the first feature vector by a random amount;
program instructions to further construct a third collection by using at least one of (i) combining, to crossover, at least one of a first feature vector and a Q&A feature vector of the second collection with a corresponding at least one of a first feature vector and a Q&A feature vector of a fourth collection, wherein the second and the fourth collections have a property similar to one another, and (ii) combining, to migrate, at least one of a first feature vector and a Q&A feature vector of the second collection with a corresponding at least one of a first feature vector and a Q&A feature vector of a fifth collection, wherein the second and the fifth collections have a property distinct from one another;
program instructions to age, using a forecasting configuration, a first feature vector of the third collection to generate a changed feature vector, the changed feature vector containing feature values expected at a future time;
program instructions to predict, by inputting the changed feature vector in a trained neural network, a probability of the cyber-attack occurring at the future time.

21. A computer system comprising one or more processors, one or more computer-readable memories, and one or more computer-readable storage medium, and program instructions stored on at least one of the one or more storage medium for execution by at least one of the one or more processors via at least one of the one or more memories, the stored program instructions comprising:
program instructions to construct a first collection, the first collection comprising a first feature vector and a Q&A feature vector;
program instructions to construct a second collection from the first collection by inserting noise data in at least one of the first feature vector and the Q&A feature vector, wherein the noise is inserted by changing an existing value in the first feature vector by a random amount;
program instructions to further construct a third collection by using at least one of (i) combining, to crossover, at least one of a first feature vector and a Q&A feature vector of the second collection with a corresponding at least one of a first feature vector and a Q&A feature vector of a fourth collection, wherein the second and the fourth collections have a property similar to one another, and (ii) combining, to migrate, at least one of a first feature vector and a Q&A feature vector of the second collection with a corresponding at least one of a first feature vector and a Q&A feature vector of a fifth collection, wherein the second and the fifth collections have a property distinct from one another;
program instructions to age, using a forecasting configuration, a first feature vector of the third collection to generate a changed feature vector, the changed feature vector containing feature values expected at a future time;
program instructions to predict, by inputting the changed feature vector in a trained neural network, a probability of the cyber-attack occurring at the future time.
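As an added example (not the patent's own code), the data-augmentation steps of claims 1 to 3 and the aging step in Python: noise insertion by changing one value by a random amount, crossover with a collection sharing a property, migration with a collection of a distinct property (both by first-partition substitution), and aging of the result. The pairing property (an attack-class label) and the per-feature linear-drift forecasting configuration are assumptions, since the claims do not define either.

```python
"""Augmentation pipeline sketched by claims 1-3 (example code; the property
used to pair collections and the forecasting model are assumptions)."""
from dataclasses import dataclass
import random


@dataclass
class Collection:
    features: list        # first feature vector (raw + expanded features)
    qa_features: list     # Q&A feature vector
    property: str         # assumed pairing label, e.g. an attack class


def insert_noise(vec, seed, scale=0.1):
    """Claim 1 noise: change one existing value by a random amount."""
    rng = random.Random(seed)            # seeded so the result is reproducible
    out = list(vec)
    i = rng.randrange(len(out))
    out[i] += rng.uniform(-scale, scale)
    return out


def substitute_first_partition(vec, donor, first_size):
    """Claims 2/3: partition both vectors into first_size and len-first_size,
    then replace vec's first partition with donor's first partition."""
    if len(vec) != len(donor) or not 0 < first_size < len(vec):
        raise ValueError("equal-length vectors and 0 < first_size < len required")
    return list(donor[:first_size]) + list(vec[first_size:])


def crossover(second, fourth, first_size):
    """Claim 2: the partner (fourth) collection shares the property."""
    if second.property != fourth.property:
        raise ValueError("crossover requires a similar property")
    feats = substitute_first_partition(second.features, fourth.features, first_size)
    return Collection(feats, second.qa_features, second.property)


def migrate(second, fifth, first_size):
    """Claim 3: the partner (fifth) collection has a distinct property."""
    if second.property == fifth.property:
        raise ValueError("migration requires a distinct property")
    feats = substitute_first_partition(second.features, fifth.features, first_size)
    return Collection(feats, second.qa_features, second.property)


def age(vec, drift_rates, steps):
    """Aging under an assumed forecasting configuration: each feature drifts
    linearly at its own rate for `steps` time units into the future."""
    return [v + r * steps for v, r in zip(vec, drift_rates)]
```

The aged vector is what claim 1 feeds to the trained network; the network itself is out of scope here.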
